Billing & Usage

Overview

Pensar offers multiple billing models depending on how you use the platform:

Billing Model | Use Case | How It Works
Credits (pre-paid) | Continuous pentesting via CI/CD, Apex CLI inference | Purchase credits up front; usage deducted per request
One-Time Pentest (self-service) | On-demand pentest of a specific application | Pay-per-scan based on application size

Credits are managed at the workspace level and shared across all billing categories. One-time pentest billing is per-application, per-scan.

All billing configuration is located at Settings > Billing in your workspace.


Credits

Credits are the pre-paid balance used for usage-based billing. They power two categories of usage:

  • Continuous Pentesting — AI inference consumed during CI/CD-triggered pentests
  • Apex Inference — AI inference consumed via the Apex CLI through the Pensar managed inference gateway

Each category can be independently enabled or disabled from the Usage settings page.

Purchasing Credits

Navigate to Settings > Billing > Credits in the Console. You must have a payment method on file before purchasing.

Two purchase options are available:

One-Time Purchase

Instantly add credits to your balance. Choose a quick-buy amount ($10, $30, $50, $100) or enter a custom amount.

Monthly Subscription

Automatically receive credits each billing cycle. Cancel or reactivate at any time from the billing page.

Auto-Reload

Auto-reload automatically tops up your credit balance when it drops below a configurable threshold. This prevents service interruptions from an empty balance.

Configure auto-reload from Settings > Billing > Auto-Reload Settings:

Setting | Default | Description
Enabled | Off | Toggle automatic top-ups on or off
Threshold | $5.00 | Balance level that triggers a top-up
Reload Amount | $25.00 | Amount to purchase when triggered

When enabled, auto-reload uses your default payment method. A deduplication window prevents duplicate charges if multiple requests fire in quick succession.

Credit Deductions

Every AI inference request records:

  • The model used
  • Input and output token counts
  • Calculated cost (base model pricing + 15% Pensar markup)
  • Billing category (ci or apex)
  • Caller identity (user or API key)

Cost is deducted atomically from your credit balance after each inference request completes.

Pre-Flight Credit Checks

Before each AI inference request, a pre-flight check verifies that your workspace has sufficient credits. If the balance is insufficient, the request is rejected with a 402 Insufficient Credits response.

A negative balance margin of $0.50 allows in-flight requests to complete even if they slightly exceed the remaining balance. This prevents request failures when a balance is nearly but not fully depleted.


One-Time Pentest Billing

One-time pentests are billed per application, per scan. This model is designed for customers who want a single pentest engagement without ongoing usage-based billing.

Pricing

Component | Price
Base price (per application, up to 100 endpoints) | $5,000
Additional endpoints (per 50 endpoints beyond baseline) | $100

  • An application maps to an entry in the applications table discovered during attack surface reconnaissance
  • Price is per application, per scan — repeat pentests on the same application are charged again
  • Promo codes and discounts can be applied

Flow

1. Create Project
   Connect your GitHub repository or upload a zip archive to create a new project.

2. Attack Surface Recon
   Pensar automatically runs reconnaissance to discover applications and endpoints in your codebase.

3. Auto-Generated Quote
   On recon completion, a quote is automatically generated based on discovered application and endpoint counts.

4. Payment Notification
   You receive an email notification that your quote is ready, with a link to the payment page.

5. Complete Payment
   Pay via the inline payment form in the Console. The payment link can also be shared with another team member (e.g., finance) to complete payment on your behalf.

6. Launch Pentest
   Once payment is confirmed, the “Run Pentest” button is enabled and you can launch a pentest.

Pentest launch is gated on payment — the scan cannot start until payment is confirmed.

Scope

  • Applies to all pentests regardless of sources provided
  • Available to both new and existing customers — there is no separate onboarding path
  • Zip upload is supported during project creation alongside GitHub/GitLab/Bitbucket integration

Continuous Pentesting (CI/CD)

When a pentest is triggered via the CI/CD integration, AI inference tokens are tracked and deducted from your workspace credit balance. This only applies to CI-triggered pentests — manual pentests launched from the Console UI do not consume credits.

Enabling CI Billing

1. Add Payment Method
   Navigate to Settings > Billing and add a payment method if you haven’t already.

2. Enable Category
   Toggle Continuous Pentesting to “Enabled” on the Settings > Usage page.

3. Purchase Credits
   Buy credits via one-time purchase or subscription from the Billing page.

4. Trigger Pentests
   Pentests triggered through the CI/CD pipeline will now deduct from your credit balance.

When a payment method is added for the first time, both billing categories (CI and Apex) are automatically enabled.


Apex Inference

The Apex CLI can connect to Pensar-managed AI models via the /auth command. Every inference request made through the Pensar gateway is tracked and deducted from your workspace credit balance.

For details on connecting Apex to your workspace, see the Apex /auth command documentation.

Per-User / Per-API-Key Tracking

Usage is attributed to the authenticated caller:

  • User authentication (via /auth) — usage is tagged with the user ID and display name
  • API key authentication — usage is tagged with the API key ID and name

This breakdown is visible in the Usage by User / API Key table on the Usage page under the Apex Inference section.

Enabling Apex Billing

1. Add Payment Method
   Navigate to Settings > Billing and add a payment method.

2. Enable Category
   Toggle Apex Inference to “Enabled” on the Settings > Usage page.

3. Purchase Credits
   Buy credits via one-time purchase or subscription.

4. Connect Apex
   Run /auth in Apex to connect your CLI to the workspace. Select the workspace and confirm billing. See Apex /auth documentation for the full walkthrough.


Payment Methods

Manage your payment methods from Settings > Billing > Payment Methods.

  • Add credit or debit cards via the inline Stripe Elements form
  • Set a default payment method for subscriptions and auto-reload
  • Remove cards that are no longer needed
  • Access the Stripe Customer Portal for advanced billing management

Viewing Usage

Billing Page

The Settings > Billing page shows:

  • Credit balance — current available credits
  • Period usage — combined cost and token counts for the current billing period
  • Purchase credits — one-time or subscription purchase widget
  • Auto-reload settings — threshold and reload amount configuration
  • Payment methods — saved cards with add/remove/default controls
  • Invoices — paginated historical payment and billing records from Stripe

Usage Page

The Settings > Usage page provides per-category breakdowns:

Continuous Pentesting

Period cost, token counts, models used, and request count for CI-triggered pentests.

Apex Inference

Period cost, token counts, models used, request count, and a per-identity breakdown showing usage by each user or API key.

Each category includes an enable/disable toggle. A payment method must be on file to enable a category.


Invoices

All payments — one-time credit purchases, subscription renewals, auto-reload charges, and one-time pentest payments — generate Stripe invoices. These are listed on the Settings > Billing page with pagination.

For full invoice management, use the Stripe Customer Portal link on the billing page.


Access Control

Billing and usage pages are restricted to workspace admins and owners. Members with the member role cannot view or modify billing settings.

Billing is gated behind a feature flag (enableUsageBasedBilling) that is enabled per-workspace.


FAQ

Inference requests are rejected with a 402 Insufficient Credits response. Configure auto-reload to prevent interruptions, or purchase credits manually from the Billing page.

Yes. Credits are pooled at the workspace level and shared between Continuous Pentesting and Apex Inference. You can enable or disable each category independently.

No. Only CI/CD-triggered pentests consume credits. Pentests launched manually from the Console UI are not billed against the credit balance.

Yes. Navigate to Settings > Usage and toggle the category off. This prevents charges for that category while keeping the other active.

When a user authenticates via /auth in the Apex CLI, their inference requests are tagged with their user identity. API key-authenticated requests are tagged with the key ID. Both appear in the Usage by User / API Key table.

Yes. The payment link can be shared so another team member (e.g., finance) can complete the payment on your behalf.

Quotes are locked once generated. Handling quote changes due to re-reconnaissance is a planned future improvement.